An Introduction to Decentralized Trust Management
Sandro Etalle
University of Twente
thanks to William H. Winsborough – University of Texas S. Antonio.
The DTM team of the UT (Ha, Marcin, Jeroen Jerry)
IPA Herfstdagen Security
Etalle: Decentralized Trust Management.
Overview
Reputation-based trust management
Rule-based trust management
Problems & Challenges (rule-based systems)
  scalability & chain discovery
  trust negotiation
  integrity constraints
Conclusions
Reputation-based TM
concrete community of cooks (200 people)
need to interact with someone you don’t know
to establish trust:
  you ask your friends and friends of friends
    ... some recommendations are better than others
  you check the record (if any)
after success trust increases
reputation-based TM – rule-based TM – problems & challenges - conclusions
Reputation-based TM
virtual p2p community of hackers (2000 people)
  exchange programs & scripts
need to interact with someone you don’t know, ...
difference with concrete community: larger, faster
  trust establishment has to be to some extent automatic
for instance
challenges
trust metrics
  how to model and compute trust
  evaluating initial trust value
  combining evidences, recommendations, reputation
management of reputation data
  secure & efficient retrieval of reputation data
automating trust based decision
closing the circle: using experience as feedback
Reputation-based TM: salient features
open system (different security domains)
trust is a measure & changes in time
risk-based
recommendation based (NOT identity-based)
peers are not continuously available
Some systems:
  PGP, EigenTrust Algorithm (Stanford)
rule-based TM: concrete example
rule-based tm, virtual
scalability
RT: a language for rule-based TM
family of languages [Li, Mitchell, Winsborough]
four types of credentials
  EPub.discount Alice
  EPub.discount UTwente.student
  EPub.discount FAB.accredited.student
  EPub.discount UTwente.student UTwente.student
principal   role name   principal.rolename = Role
trusting principal trusted principal (somewhere else: delegation)
attribute-based delegation
some language requirements [Bertino]
Monotonicity
Constraints (omitted)
Credential combination
Sensitive Policies
Reputation vs rule based TM

Reputation-based:
  open system (different security domains)
  trust is a measure & changes in time
  risk-based
  recommendation based (NOT identity-based)
  peers are not continuously available
  Some systems: PGP TBD

Rule-based:
  open system (different security domains)
  trust is boolean & less time-dependent
  no risk
  rule (credential) based (NOT identity-based)
  peers are not continuously available
  Some systems: KeyNote, Trust-X
Problem 1: scalability
attribute-based delegation: accepting student ID from any university
  EPub.discount FAB.accred.student
  FAB.accredited UnivTwente
  UnivTwente.student Alice
Credential chain proves authorization. Scalability problem
Problem 2: trust negotiations
credentials can be confidential
credential disclosure is a matter of... trust
three strategies [Seamons]
  Naive
  Reasonable
  Informed
additional problem: what do you do with the info in a credential after it has been disclosed
Problem 3: control
Policies change in time: P P1 ... Pn
A principal controls only a portion of the policy
Delegating trust implies an understanding between principals,
Trusted principals need assistance
  Who could get access to what? (Safety)
  Who could be denied? (Availability)
  “No-one should ever be both a buyer and an accountant” (Mutual Exclusion)
Conclusions
Context:
  2 or more parties in an open system.
  parties are not in the same security domain.
Goal
  establish trust between parties to exchange information and services (access control)
Constraint
  access control decision is made NOT according to the party identity BUT according to the credentials it has
Open problems
Analysis
  safety analysis
    we are now working with Spin in RT0, for RTC (with constraints) nothing is available
  of negotiations protocols w.r.t. the TM goals.
Integration with other systems e.g.
  privacy protection
  location-dependent policies
    ambient calculi?
  DRM
Semantics
  is not correct when considering:
    chain discovery
    negotiations
  is not modular
    certainly possible to improve this using previous work on omega-semantics.
Types
Integrity Constraints: General Form
General: L.l ⊒ R.r
Formally, L.l ⊒ R.r holds in P (P ⊢ L.l ⊒ R.r) iff [[L.l]]P [[R.r]]P
  sets and intersections are allowed
Special cases
  Membership: A.r ⊒ { D1, …, Dn }
  Boundedness: { D1, …, Dn } ⊒ A.r
expressiveness is limited (it is a universal formula)
  but we can express all safety properties of [LWM03]
  counterexample: at least a manager should have access to the DB
Examples
buyers and accountants should be disjoint
  ⊒ A.buyer A.accountant
every employee should have access to the WLAN network
  WLAN.access ⊒ UT.employee
welders of BOVAG-accredited workshops should be fellows of the British Institute of Welding
  Bovag.welder Bovag.accr.welder
  Bovag.accr PietersWorkshop
  PietersWorkshop.welder Pieter
  BIW.fellow ⊒ Bovag.welder
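
The credential-chain slide (Problem 1) and the integrity-constraint slides above, worked through as an added example (not code from the talk or from the RT authors): it computes role membership as the least fixpoint of a set of RT0 credentials and then checks containment and mutual-exclusion constraints against it. Assumptions: the tuple encoding, the reading of each credential as "defined role, then its body" in the four RT0 forms, and the DUTIES policy with principals B and Carol are constructed for illustration.

```python
from collections import defaultdict

def members(policy):
    """Least fixpoint of an RT0 policy: (principal, role) -> set of members."""
    sem = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for kind, a, r, *body in policy:
            if kind == "member":            # A.r <- D
                new = {body[0]}
            elif kind == "incl":            # A.r <- B.r1
                new = set(sem[tuple(body)])
            elif kind == "link":            # A.r <- B.r1.r2 (attribute-based delegation)
                b, r1, r2 = body
                new = set().union(*(sem[(x, r2)] for x in list(sem[(b, r1)])))
            else:                           # "inter": A.r <- B.r1 ∩ C.r2
                new = sem[body[0]] & sem[body[1]]
            if not new <= sem[(a, r)]:
                sem[(a, r)] |= new
                changed = True
    return sem

def violations(policy, left, right):
    """Principals witnessing that the integrity constraint left ⊒ right fails."""
    sem = members(policy)
    return sem[right] - sem[left]

def overlap(policy, role1, role2):
    """Principals holding both roles; must be empty for mutual exclusion."""
    sem = members(policy)
    return sem[role1] & sem[role2]

# Constructed policies using the role names from the slides.
EPUB = [("link", "EPub", "discount", "FAB", "accredited", "student"),
        ("member", "FAB", "accredited", "UnivTwente"),
        ("member", "UnivTwente", "student", "Alice")]
WELDERS = [("link", "Bovag", "welder", "Bovag", "accr", "welder"),
           ("member", "Bovag", "accr", "PietersWorkshop"),
           ("member", "PietersWorkshop", "welder", "Pieter")]
# Hypothetical: A delegates buyer to B.purchaser; B, outside A's control, adds Carol.
DUTIES = [("incl", "A", "buyer", "B", "purchaser"),
          ("member", "A", "accountant", "Carol"),
          ("member", "B", "purchaser", "Carol")]

if __name__ == "__main__":
    print(members(EPUB)[("EPub", "discount")])
    print(violations(WELDERS, ("BIW", "fellow"), ("Bovag", "welder")))
    print(overlap(DUTIES, ("A", "buyer"), ("A", "accountant")))
```

In the WELDERS policy the constraint fails with Pieter as witness until BIW itself issues a fellow credential for him, and in DUTIES the overlap comes from a credential that principal A never issued.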